The "Billing" page can be accessed by an anonymous user. I noticed this when logging in as a mostly unprivileged user that had REPORT_VIEW. I was able to access the Billing page, which didn't seem right. While still on that page I logged out and the page remained!
Tested using the "regular" branch (0.11) and the permission-enabled one.
To reproduce:
- Access a Trac instance with timingandestimationplugin installed without logging in (or log out).
- Go to the /Billing URL.
- Make some changes.
- See feedback that tickets are updated.
I have not checked that tickets are actually touched. But the anonymous user should not have access to the Billing Page by default!
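
As an added illustration (not part of the original report, and not Trac's or the plugin's code): a stand-alone model of the missing check, with a small audit that tries GET and POST on /Billing for every user. The permission name `BILLING_ADMIN`, the user table and both handler functions are assumptions made for the example.

```python
from dataclasses import dataclass

REQUIRED = "BILLING_ADMIN"  # hypothetical permission name, not from the report

# Constructed permission table: "anonymous" is what a request without a session gets.
PERMS = {
    "anonymous": {"REPORT_VIEW"},
    "reporter": {"REPORT_VIEW"},
    "manager": {"REPORT_VIEW", REQUIRED},
}

@dataclass
class Request:
    path: str
    method: str = "GET"
    authname: str = "anonymous"

class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""

def billing_unchecked(req, tickets):
    """Behaviour described in the report: the page is served to anyone."""
    if req.method == "POST":
        tickets["updated"] += 1
        return "tickets updated"
    return "billing form"

def billing_checked(req, tickets):
    """Same handler, with the permission tested first and on every method,
    so a POST sent from a page left open after logout is refused too."""
    if REQUIRED not in PERMS.get(req.authname, set()):
        raise Forbidden(f"{req.authname} lacks {REQUIRED}")
    return billing_unchecked(req, tickets)

def audit(handler):
    """Return the (user, method) pairs served although the user lacks REQUIRED."""
    leaks = []
    for user, perms in PERMS.items():
        for method in ("GET", "POST"):
            try:
                handler(Request("/Billing", method, user), {"updated": 0})
            except Forbidden:
                continue
            if REQUIRED not in perms:
                leaks.append((user, method))
    return leaks

if __name__ == "__main__":
    print("unchecked:", audit(billing_unchecked))
    print("checked:  ", audit(billing_checked))
```
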